I tried the following as suggested (removing 53 as this is not a dns server):

*mangle
:PREROUTING ACCEPT [6:948]
:INPUT ACCEPT [6:948]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:3269]
:POSTROUTING ACCEPT [7:3269]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,80,110,873,993,10000 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 123,873 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT

However, this seemed to completely lock down the server. I could not access it via port 1000 or http 80, and it would not accept mail for delivery (smtp); not exactly sure what happened. I had to physically go to the server and do a "service iptables stop" to regain access and allow mail.

I'll do some searching for Jane Dow's example, and read again the netfilter how-to's and see what I can come up with.

Thanks,
Scott Miller

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Mike Wright
Sent: Friday, March 27, 2009 12:59 PM
To: Mike Wright
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: Verify rules

Mike Wright wrote:
> Scott Miller wrote:
>> Thanks for the suggestions - I now have the following, combining two
>> replies I received.
> you may also want to rate limit the number of attempts from the same IP
> to connect to SSH or you WILL get hammered. If you search the archives
> I think *Joanne Dow* posted an example of how to do so.

oops! *Joanne Dow* posted an example of how to do so on the fedora-list.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
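Editor's note on the ruleset posted above, with an added example that is not part of the thread. The line "-A INPUT -m state --state ESTABLISHED,RELATED" carries no -j target, so it only counts packets; with the INPUT policy set to DROP, the first SYN to port 80, 25 or 10000 is accepted by the multiport rule, but every later packet of the same connection is in state ESTABLISHED and falls through to the DROP policy. That matches the "completely locked down" symptom exactly, and "iptables-restore" accepts the file without complaint, because a target-less rule is legal. The script below is a plain POSIX sh check for that class of mistake, written here as an illustration: it scans an iptables-restore text for -A/-I rules without -j or -g, verifies that ESTABLISHED,RELATED traffic is actually accepted, appends the missing "-j ACCEPT", and adds the per-source SSH rate limit Mike Wright suggested, using the "recent" match (the SSH list name, the 4-hit/60-second threshold, and the choice to take port 22 out of the multiport list are this example's assumptions, not anything from the thread). It only inspects text and needs no root or kernel access; apply the output with "iptables-restore" yourself after reading it.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): lint an iptables-restore
# ruleset for rules that have no target, fix the conntrack accept rule, and
# add an SSH rate limit with the "recent" match. Pure text processing.

# Constructed copy of the *filter table posted above (note the first -A line
# has no -j target).
POSTED_FILTER='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,80,110,873,993,10000 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 123,873 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT'

# untargeted_rules RULESET: print every -A/-I rule with neither -j nor -g.
# Such a rule is accepted by iptables-restore but only counts packets;
# under a DROP policy the traffic it was meant to allow is dropped.
untargeted_rules() {
    printf '%s\n' "$1" | awk '/^-(A|I) / && !/ -j / && !/ -g /'
}

# count_untargeted RULESET: number of target-less rules (0 is what you want).
count_untargeted() {
    untargeted_rules "$1" | awk 'END { print NR }'
}

# accepts_established RULESET: succeed only if an INPUT rule really jumps to
# ACCEPT for ESTABLISHED,RELATED (either module spelling, either order).
accepts_established() {
    printf '%s\n' "$1" | grep -Eq -e \
        '^-A INPUT .*--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED).* -j ACCEPT'
}

# fix_established RULESET: append "-j ACCEPT" to a conntrack rule that lacks
# any target; everything else is echoed unchanged.
fix_established() {
    printf '%s\n' "$1" | awk '
        /--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/ && !/ -j / && !/ -g / {
            $0 = $0 " -j ACCEPT"
        }
        { print }'
}

# ssh_ratelimit_rules: two rules using the "recent" match. Once a source has
# opened 4 NEW SSH connections within 60 seconds, further ones are dropped;
# each accepted connection records the address in the list named SSH.
# (List name and thresholds are this example's choices.)
ssh_ratelimit_rules() {
    cat <<'EOF'
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set -j ACCEPT
EOF
}

# hardened_filter RULESET: fixed conntrack rule, SSH rate limit inserted just
# before the multiport rule, and port 22 removed from that rule so the
# rate-limit pair is the only path for new SSH connections.
hardened_filter() {
    fix_established "$1" | awk -v ssh="$(ssh_ratelimit_rules)" '
        / -m multiport --dports 22,/ { print ssh; sub(/--dports 22,/, "--dports ") }
        { print }'
}

# Stand-alone run: report the problem in the posted table, then print the
# hardened version for review.
if [ "${1:-}" = "--demo" ]; then
    echo "Rules without a target in the posted *filter table:"
    untargeted_rules "$POSTED_FILTER"
    echo
    echo "Hardened table (review, then load with iptables-restore):"
    hardened_filter "$POSTED_FILTER"
fi
```

Run it with "--demo" to see the offending line and the corrected table. The linter is a heuristic: a rule with "-m recent --set" and no target is sometimes written deliberately, so treat a hit as something to read, not something to delete blindly. Before loading any such table on a remote box, schedule a fallback such as "sleep 300; service iptables stop" in a separate session so a mistake like the one above does not require a trip to the console.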